Secure Outsourced Garbled Circuit Evaluation for Mobile Devices

Henry Carter, Georgia Institute of Technology; Benjamin Mood, University of Oregon; Patrick Traynor, Georgia Institute of Technology; Kevin Butler, University of Oregon

This paper is included in the Proceedings of the 22nd USENIX Security Symposium. August 14–16, 2013 • Washington, D.C., USA. ISBN 978-1-931971-03-4. Open access to the Proceedings of the 22nd USENIX Security Symposium is sponsored by USENIX.

Abstract

Garbled circuits provide a powerful tool for jointly evaluating functions while preserving the privacy of each user’s inputs. While recent research has made the use of this primitive more practical, such solutions generally assume that participants are symmetrically provisioned with massive computing resources. In reality, most people on the planet only have access to the comparatively sparse computational resources associated with their mobile phones, and those willing and able to pay for access to public cloud computing infrastructure cannot be assured that their data will remain unexposed. We address this problem by creating a new SFE protocol that allows mobile devices to securely outsource the majority of computation required to evaluate a garbled circuit. Our protocol, which builds on the most efficient garbled circuit evaluation techniques, includes a new outsourced oblivious transfer primitive that requires significantly less bandwidth and computation than standard OT primitives and outsourced input validation techniques that force the cloud to prove that it is executing all protocols correctly. After showing that our extensions are secure in the malicious model, we conduct an extensive performance evaluation for a number of standard SFE test applications as well as a privacy-preserving navigation application designed specifically for the mobile use-case. Our system reduces execution time by 98.92% and bandwidth by 99.95% for the edit distance problem of size 128 compared to non-outsourced evaluation. These results show that even the least capable devices are capable of evaluating some of the largest garbled circuits generated for any platform.

1 Introduction

Secure Function Evaluation (SFE) allows two parties to compute the result of a function without either side having to expose their potentially sensitive inputs to the other. While considered a generally theoretical curiosity even after the discovery of Yao’s garbled circuit [43], recent advances in this space have made such computation increasingly practical. Today, functions as complex as AES-128 and approaching one billion gates in size are possible at reasonable throughputs, even in the presence of a malicious adversary.

While recent research has made the constructions in this space appreciably more performant, the majority of related work makes a crucial assumption - that both parties are symmetrically provisioned with massive computing resources. For instance, Kreuter et al. [25] rely on the Ranger cluster at the Texas Advanced Computing Center to compute their results using 512 cores. In reality, the extent of a user’s computing power may be their mobile phone, which has many orders of magnitude less computational ability. Moreover, even with access to a public compute cloud such as Amazon EC2 or Windows Azure, the sensitive nature of the user’s data and the history of data leakage from cloud services [40, 42] prevent the direct porting of known SFE techniques.

In this paper, we develop mechanisms for the secure outsourcing of SFE computation from constrained devices to more capable infrastructure. Our protocol maintains the privacy of both participants’ inputs and outputs while significantly reducing the computation and network overhead required by the mobile device for garbled circuit evaluation. We develop a number of extensions to allow the mobile device to check for malicious behavior from the circuit generator or the cloud and a novel Outsourced Oblivious Transfer for sending garbled input data to the cloud. We then implement the new protocol on a commodity mobile device and reasonably provisioned servers and demonstrate significant performance improvements over evaluating garbled circuits directly on the mobile device.

We make the following contributions:

  • Outsourced oblivious transfer & outsourced consistency checks: Instead of blindly trusting the cloud with sensitive inputs, we develop a highly efficient Outsourced Oblivious Transfer primitive that allows mobile devices to securely delegate the majority of computation associated with oblivious transfers. We also provide mechanisms to outsource consistency checks to prevent a malicious circuit generator from providing corrupt garbled values. These checks are designed in such a way that the computational load is almost exclusively on the cloud, but cannot be forged by a malicious or “lazy” cloud. We demonstrate that both of our additions are secure in the malicious model as defined by Kamara et al. [21].
  • Performance Analysis: Extending upon the implementation by Kreuter et al. [25], we conduct an extensive performance analysis against a number of simple applications (e.g., edit distance) and cryptographic benchmarks (e.g., AES-128). Our results show that outsourcing SFE provides improvements to both execution time and bandwidth overhead. For the edit distance problem of size 128, we reduce execution time by 98.92% and bandwidth by 99.95% compared to direct execution without outsourcing on the mobile device.
  • Privacy Preserving Navigation App: To demonstrate the practical need for our techniques, we design and implement an outsourced version of Dijkstra’s shortest path algorithm as part of a Navigation mobile app. Our app provides directions for a Presidential motorcade without exposing its location, destination, or known hazards that should be avoided (but remain secret should the mobile device be compromised). The optimized circuits generated for this app represent the largest circuits evaluated to date. Without our outsourcing techniques, such an application is far too processor, memory and bandwidth intensive for any mobile phone.

While this work is similar in function and provides equivalent security guarantees to the Salus protocols recently developed by Kamara et al. [21], our approach is dramatically different. The Salus protocol framework builds their scheme on a completely different assumption, specifically, that they are outsourcing work from low-computation devices with high communication bandwidth. With provider-imposed bandwidth caps and relatively slow and unreliable cellular data connections, this is not a realistic assumption when developing solutions in the mobile environment. Moreover, rather than providing a proof-of-concept work

how this paper differs from Salus; Section 3 provides cryptographic assumptions and definitions; Section 4 formally describes our protocols; Section 5 provides security discussion - we direct readers to our technical report [6] for full security proofs; Section 6 shows the results of our extensive performance analysis; Section 7 presents our privacy preserving navigation application for mobile phones; and Section 8 provides concluding remarks.

2 Related Work

Beginning with Fairplay [32], several secure two-party computation implementations and applications have been developed using Yao garbled circuits [43] in the semi-honest adversarial model [3, 15, 17, 19, 26, 28, 31, 38]. However, a malicious party using corrupted inputs or circuits can learn more information about the other party’s inputs in these constructions [23]. To resolve these issues, new protocols have been developed to achieve security in the malicious model, using cut-and-choose constructions [30], input commitments [41], and other various techniques [22, 34]. To improve the performance of these schemes in both the malicious and semi-honest adversarial models, a number of circuit optimization techniques have also been developed to reduce the cost of generating and evaluating circuits [8, 11, 24, 35]. Kreuter et al. [25] combined several of these techniques into a general garbled circuit protocol that is secure in the malicious model and can efficiently evaluate circuits on the order of billions of gates using parallelized server-class machines. This SFE protocol is currently the most efficient implementation that is fully secure in the malicious model. (The dual execution construction by Huang et al. leaks one bit of input [16].)

Garbled circuit protocols rely on oblivious transfer schemes to exchange certain private values. While several OT schemes of various efficiencies have been developed [1, 30, 36, 39], Ishai et al. demonstrated that any of these schemes can be extended to reduce k^c oblivious transfers to k oblivious transfers for any given constant c [18]. Using this extension, exchanging potentially large inputs to garbled circuits became much less costly in terms of cryptographic operations and network overhead. Even with this drastic improvement in efficiency, oblivious transfers still tend to be a costly step in evaluating garbled circuits.
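
The Related Work discussion says garbled circuit protocols rely on oblivious transfer to exchange certain private values. The added example below (not code from the paper or from Kreuter et al.'s implementation) garbles a single AND gate in the semi-honest setting to show what those values are: the evaluator's input wire labels. The SHA-256 row encryption, the zero-byte tag, and all function names are assumptions chosen for illustration, and the OT itself is replaced by a direct lookup.

```python
import hashlib
import secrets

LABEL_LEN = 16          # bytes per wire label (constructed parameter)
TAG = b"\x00" * 8       # zero padding that marks a correctly decrypted row

def _pad(label_a: bytes, label_b: bytes) -> bytes:
    """Derive a one-time pad for one table row from two input labels."""
    return hashlib.sha256(label_a + label_b).digest()[:LABEL_LEN + len(TAG)]

def _xor(x: bytes, y: bytes) -> bytes:
    return bytes(i ^ j for i, j in zip(x, y))

def garble_and_gate():
    """Generator side: two random labels per wire, then an encrypted truth table."""
    wires = {w: (secrets.token_bytes(LABEL_LEN), secrets.token_bytes(LABEL_LEN))
             for w in ("a", "b", "out")}
    table = []
    for bit_a in (0, 1):
        for bit_b in (0, 1):
            out_label = wires["out"][bit_a & bit_b]
            table.append(_xor(_pad(wires["a"][bit_a], wires["b"][bit_b]),
                              out_label + TAG))
    secrets.SystemRandom().shuffle(table)  # hide which row encodes which inputs
    return wires, table

def evaluate(table, label_a: bytes, label_b: bytes) -> bytes:
    """Evaluator side: holds one label per input wire, learns one output label."""
    pad = _pad(label_a, label_b)
    for row in table:
        plain = _xor(pad, row)
        if plain.endswith(TAG):            # only the matching row decrypts cleanly
            return plain[:LABEL_LEN]
    raise ValueError("no row decrypted: labels do not belong to this gate")

def run_gate(bit_a: int, bit_b: int) -> int:
    """Whole exchange for one gate; the OT step is a direct lookup (assumption)."""
    wires, table = garble_and_gate()
    label_a = wires["a"][bit_a]   # generator's own input: label sent as-is
    # Evaluator's input: a real protocol fetches this label with a 1-of-2 OT,
    # so the generator never learns bit_b and the evaluator never sees the
    # label for the other bit value.
    label_b = wires["b"][bit_b]
    out = evaluate(table, label_a, label_b)
    return wires["out"].index(out)  # generator maps the output label to a bit
```

One OT is needed per evaluator input bit, which is why the paragraph above calls oblivious transfer a costly step for large inputs.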
